1 Dual-E Security © 2001, Cisco Systems, Inc. New Dual Ethernet Security Solutions Sean Convery, Michael K. Jones, Jay Bazzinotti, Holly Linden, John Huie

1Dual-E Security © 2001, Cisco Systems, Inc.

New Dual Ethernet Security Solutions

Sean Convery, Michael K. Jones, Jay Bazzinotti, Holly Linden, John Huie

New Dual Ethernet Security Solutions

Sean Convery, Michael K. Jones, Jay Bazzinotti, Holly Linden, John Huie

1www.cisco.com

2© 2001, Cisco Systems, Inc. Cisco ConfidentialDual-E Security

AgendaAgenda

• Introduction & Market Overview – Sean Convery

• New Products:Introducing the Cisco 3002 VPN Hardware Client – Jay Bazzinotti

Introducing the Cisco PIX 501 Firewall – Michael K. Jones

Introducing the Cisco 806 Broadband Gateway Router – Holly Linden

Introducing the Cisco 1710 Security Access Router – John Huie

• Product Positioning & Competitive Products – Sean Convery

• Q&A


SAFE Security SAFE Security Blueprint & Cisco Blueprint & Cisco Security ProductsSecurity Products

SAFE Security SAFE Security Blueprint & Cisco Blueprint & Cisco Security ProductsSecurity Products


Extending SAFEExtending SAFE

Campus Module

ISP Edge ModuleISP Edge Module

CorporateServers

CorporateUsers

PublicServices

PSTN ModulePSTN Module Corporate Internet Module

PSTN

WAN ModuleFrame/ATM Mod.Frame/ATM Mod.

ManagementServers

ISP

FR/ATM


Cisco’s Dual Ethernet Security Platforms

Cisco’s Dual Ethernet Security Platforms

• Options for implementing security in teleworker, small office, and small to medium business environments

• Both dedicated security appliances or router based solutions with integrated security

• Secure access to a corporate network or to the Internet through a broadband connection (Ethernet WAN port)

• Features to meet the requirements of the SAFE Blueprint for Small to Medium Networks and Remote Users


Cisco Dual Ethernet Security Platform Positioning

Cisco Dual Ethernet Security Platform Positioning

Cisco 2600/3600Router

Cisco 2600/3600RouterCisco 1710 RouterCisco 1710 Router

TelecommuterTelecommuterMed Biz &

Enterprise BranchMed Biz &

Enterprise Branch

Small Business/Small

Branch

Small Business/Small

Branch

Cisco 806 RouterCisco 806 Router

Cisco 3002Hardware VPN Client

Cisco 3002Hardware VPN Client

Cisco PIX 501 FirewallCisco PIX 501 Firewall

IOS Router Based Security

FW Appliance Based Security

VPN Appliance Based Security

Cisco PIX 515R FirewallCisco PIX 515R Firewall

Cisco PIX 506 FirewallCisco PIX 506 Firewall


Products

Cisco 3002 VPN Hardware ClientCisco PIX 501 Firewall

Cisco 806 Broadband Gateway RouterCisco 1710 Security Router

Products

Cisco 3002 VPN Hardware ClientCisco PIX 501 Firewall

Cisco 806 Broadband Gateway RouterCisco 1710 Security Router


Cisco VPN 3002 Hardware Client

Cisco VPN 3002 Hardware Client

• The Cisco VPN 3002 Hardware Client provides remote access VPN - it looks like a VPN client to the central site

• The VPN 3002 has two primary functions: It is simple to deploy – policy, config, upgrades are pushed to the device: supports DHCP client/server &

PPPoE host/client

It scales to very large networks (>50,000 units) –no central site configuration is required as forLan-to-Lan devices

• The VPN 3002 is a Broadband device with optional8 port 10/100 switch supporting up to 253users on the private LAN

• The VPN 3002 works with any Operating System

• The VPN 3002 includes Auto Upgrade allowing for fast, simple, hands- off upgrades for up to thousands of devices

• The VPN 3002 provides 2.2Mbps 3DES performance


Cable LockPhysically lock device like a PC

8 Port 10/100 MB Auto-sensing Ethernet LAN Switch w/ Activity LEDS - Connect to Private Ethernet network devices

Ethernet (to WAN) PortConnects to any WAN device, xDSL, Cable modem, router, etc.(auto-sensing)

Power ConnectorSecurely connects power supply

Console PortConnects to PC, terminal or modem for configuration or out of band access

Processor • Motorola 8255 Power PC 150Mhz

Memory• Dual Flash Images• 16 Mb DRAM• 8 Mb Flash• 8Kb NVRAM

Recessed ResetAllows Reset to Factory Defaults

FIPS Secure ChassisConforms to FIPS-140 Level 2

Convection CooledSilent, Fan Free Operation

LEDs (front)Power, SystemHealth, Tunnel Up, PPPoE status

Cisco VPN 3002® Hardware Client Features





Access/Performance Operating System Independent – works with any OS

PPPoE client/server, DHCP client/server, supports up to 253 users per unit (with or w/o 8 port switch)

2.2Mbps 3DES performance: 10Mbps clear text

Remote Access client or Site-to-Site operation with Load Balancing and Failover

IPSec/NAT transparency

Connects Cisco devices supporting the Unified protocol specification

Security Makes a single tunnel, Outbound connections only

Use NAPT (Network Address Port Translation)

Pushes security policy from central site – remote user has no control

Supports pre-shared secret and digital certificates Management

Built in web server or CLI for local, remote config

Supports SSL/SSH over the tunnel or Out-of-Band console/modem port

Automatically upgrades itself

Eliminates the need for central site config in most cases

Scales to 10s of thousands of sites

Can be reset to factory defaults by local/remote command or by switch

SNMP, Syslog, LED and other diag/troublshooting


Included

Power Cord (US or Worldwide)

Software (VPN, Client, Security)

$2008 Port 10/100 Auto-sensing Switch

Cables

$995 Cisco VPN 3002 Hardware Client

Included

Included

Included




Introducing theCisco PIX® 501 Firewall

Introducing theCisco PIX® 501 Firewall

• Extends market-leading Cisco PIX Firewall

product family to remote users, providing customers an end-to-end security solution

• Extends market-leading Cisco PIX Firewall

product family to remote users, providing customers an end-to-end security solution

• Compact, reliable, plug ‘n play security appliance that provides:

• Enterprise-class security features• High-speed small office networking• Robust remote manageability

• Compact, reliable, plug ‘n play security appliance that provides:

• Enterprise-class security features• High-speed small office networking• Robust remote manageability

• Ideal security appliance for small offices, teleworkers and small businesses using broadband-based Internet connections

• Ideal security appliance for small offices, teleworkers and small businesses using broadband-based Internet connections


Cisco PIX® 501 FirewallOverview

Cisco PIX® 501 FirewallOverview

Product HighlightsProduct Highlights

• Intuitive, web-based PIX Device Manager • Scaleable, multi-firewall management using Cisco Secure Policy Manager 3.0 • Supports other standards including telnet, SSH, TFTP, SNMP and syslog

• Intuitive, web-based PIX Device Manager • Scaleable, multi-firewall management using Cisco Secure Policy Manager 3.0 • Supports other standards including telnet, SSH, TFTP, SNMP and syslog

Robust RemoteManageability

Enterprise-classSmall / Home Office Security Appliance

• Robust stateful inspection firewalling• VPN for secure access to remote networks• Intrusion protection and much more…

• Robust stateful inspection firewalling• VPN for secure access to remote networks• Intrusion protection and much more…

Plug ‘n PlaySmall OfficeNetworking

• Integrated 4-port 10/100 Mbps switch • Integrated DHCP client and server• Includes dynamic/static NAT and PAT support

• Integrated 4-port 10/100 Mbps switch • Integrated DHCP client and server• Includes dynamic/static NAT and PAT support


Cisco PIX® 501 FirewallSpecifications

Cisco PIX® 501 FirewallSpecifications

• Supports full Cisco PIX Firewall feature-set• Runs same software images as all other PIX platforms• First PIX platform with new plug ‘n play factory default configuration

• Supports full Cisco PIX Firewall feature-set• Runs same software images as all other PIX platforms• First PIX platform with new plug ‘n play factory default configuration

SoftwareFeatures

HardwareFeatures

• 133 MHz AMD Processor• 16 MB SDRAM, 8 MB Flash Memory• Silent, convection cooled design – no fan needed• Compact 6.25x5.5x1” (WxDxH”) form factor• Integrated lock slot for improved physical security

• 133 MHz AMD Processor• 16 MB SDRAM, 8 MB Flash Memory• Silent, convection cooled design – no fan needed• Compact 6.25x5.5x1” (WxDxH”) form factor• Integrated lock slot for improved physical security

• 10 Mbps cleartext firewall throughput• 6 Mbps DES VPN performance• 3 Mbps 3DES VPN throughput• 3,500 concurrent connections

• 10 Mbps cleartext firewall throughput• 6 Mbps DES VPN performance• 3 Mbps 3DES VPN throughput• 3,500 concurrent connections

PerformanceMetrics


Cisco PIX® 501 FirewallProduct Pricing

Cisco PIX® 501 FirewallProduct Pricing

10 to 50 user license upgrade, $700Encryption license: DES $0, 3DES $100Spare AC power supply, $60

10 to 50 user license upgrade, $700Encryption license: DES $0, 3DES $100Spare AC power supply, $60

Upgrades /Spares

Bundles PIX 501 with 10 user and DES licenses, $595PIX 501 with 10 user and 3DES licenses, $695PIX 501 with 50 user and DES licenses, $1195PIX 501 with 50 user and 3DES licenses, $1295

PIX 501 with 10 user and DES licenses, $595PIX 501 with 10 user and 3DES licenses, $695PIX 501 with 50 user and DES licenses, $1195PIX 501 with 50 user and 3DES licenses, $1295

PIX 501 chassis with PIX OS 6.1(1) software, $595User license: 10 users $0, 50 users $600Encryption license (optional): DES $0, 3DES $100

PIX 501 chassis with PIX OS 6.1(1) software, $595User license: 10 users $0, 50 users $600Encryption license (optional): DES $0, 3DES $100

ConfigurableChassis andOptions


Cisco 806 Broadband Gateway Router

Cisco 806 Broadband Gateway Router

Secure, shared broadband gateway with the power of Cisco IOS® technologies for Small Offices and Telecommuters

Multi-user access

Business-class Security & VPN

Manageability & reliability with Cisco IOS Software

Video, voice, and traffic management with QoS One standardized router platform

for diverse broadband technologies


Cisco 806 ArchitectureCisco 806 Architecture

Cable LockPhysically secures router

10 MB Ethernet LAN HubConnect to Ethernet network devices

Ethernet WAN PortConnects to broadband modem or Ethernet Switch

Locking Power ConnectorSecurely connects power supply

Console PortConnects to PC or terminal for configuration

To Hub/To PC Button Determines the Ethernet device and cable type used for Ethernet Hub

Processor •RISC MPC855T@50MHz

Memory•Runs from DRAM•DRAM Default: 16MB •DRAM Max: 24MB•FLASH Default: 12 MB•FLASH Max: 12 MB


Cisco 806 FeaturesCisco 806 Features

Multiuser Access

Network Address Translation (NAT)

4-port hub

PPPoE client/server, DHCP client/server, unlimited users (20 recommended)

Business-Class Security

NAT, Extended ACLs, Stateful Firewall, DoS detection, IPSec DES/3DES

Reliability & Manageability with Cisco IOS Software

Remote Monitoring, troubleshooting, and s/w management

Web configuration tool (CRWS) & Cisco Config Express

Interoperates with IOS routers and Cisco VPN 3000 concentrators

Video, Voice, and Traffic Management with QoS

Multicast support, QoS for IP phones*

*QoS features in Q4 CY ‘01


$100IP Firewall

Cisco 806 US List PricesCisco 806 US List PricesCisco 806 US List PricesCisco 806 US List Prices

IP Feature Set

$250*IP Firewall Plus IPSec 3DES

$100 IP Plus

$649 Cisco 806 + IP Software

Included

$350VPN Security Bundle – Includes IP FW Plus 3DES Image plus Memory

*Requires additional Memory


Introducing the Cisco 1710 Security Access Router

Introducing the Cisco 1710 Security Access Router

• Comprehensive SecurityVPN Encryption and Tunneling

Stateful Inspection Firewall

Intrusion Detection

Virtual LAN Support

• High-Performance VPNWire-speed 3DES VPN Encryption at T1/E1 speed

• Advanced routing and QoS Features

• Remote Management

Business-class security and advanced routing through the power of Cisco IOS® Technologies


Cisco 1710 ArchitectureCisco 1710 Architecture

• Dual-Ethernet (10/100 LAN, 10BT WAN)

• IEEE 802.1Q VLAN

• Onboard/Default Memory

16MB Flash/32MB DRAM

• Hardware Encryption (IPSec 3DES up to T1/E1 and 100 Tunnels)

• Console Port and Auxiliary Port up to 115 kbps


Cisco 1710 Comprehensive Features

Cisco 1710 Comprehensive Features

• Secure Internet, Intranet, ExtranetVPN, Stateful Firewall/IDS

• Tunneling IPSec, L2TP, GRE, L2F

• IP/Host ManagementPPPoE Server/Client, DHCP Server/Client, NAT/PAT

• Protocol Support Routed: IP, IPX, AT, IBM/SNA

Routing: RIP, OSPF, IGRP

• Traffic Management (QoS)IP Multicast, LLQ, WFQ, CAR


Cisco 1710 Pricing Cisco 1710 Pricing

• Cisco 1710: US List $1,295

(IP Plus/Firewall/IDS/IPSec 3DES)

• IOS Software Upgrade: US List $400

(IP/IPX/AT/IBM/Plus/FW/IDS/IPSec 3DES)


Product Positioning & Competitive Information

Product Positioning & Competitive Information


When to SellWhen to Sell

The Cisco 3002 VPN Hardware Client is best for any company with multiple branch offices, home offices or remote sites desiring secure remote access VPN and high scalability, simple deployment and minimal ongoing management

The Cisco PIX 501 Firewall is best for small office and teleworker environments that require market-leading security capabilities including stateful inspection firewalling, VPN, intrusion protection and more in a compact, cost-effective, all-in-one security appliance

The Cisco 806 Broadband Gateway Router is best for Small Office & Teleworker Customers who require integrated security with firewall & VPN support in a Cisco IOS router based solution

The Cisco 1710 Security Router is best for customers who require a comprehensive security and advanced routing solution which features high-performance VPN, integrated firewall, Cisco IOS routing, QoS, and VLAN support in an all-in-one device for small and medium-sized businesses and branch offices


Key Technical DifferencesKey Technical Differences

• Cisco IOS based Ethernet to Ethernet routersPro: Best deployed in environments when a rich set of QoS, routing, and general networking features are needed in addition to VPN and security.Con: Configuration of security and VPN services on a general purpose OS is more prone to user error. Network based model limits individual user accountability.

• Cisco PIX FirewallsPro: Best deployed in environments that need comprehensive network security services including firewall, VPN, intrusion protection and more in a purpose-built appliance.Con: Limited networking features beyond security and VPN. Network based model limits individual user accountability.

•Cisco Hardware VPN Client Pro: Dynamic, user-based policy push allows large scale deployments. Best used when manageability of the remote sites is key.Con: No stateful firewall, limited networking features beyond VPN.


Dual Ethernet Security – Key Competitors

Dual Ethernet Security – Key Competitors

• NetScreen – Security appliance, aggressively priced, good performance, no routing functionality, does not have as robust security features as PIX 501 ($495-$995)

• SonicWALL – Security appliance, good performance, no routing functionality, higher costs for 10 & 50 user licenses with VPN, does not have as robust security features as PIX 501 ($495-$1490)

• Nortel - VPN hardware device, large footprint, noisy, expensive ($750-$1495)

• Nokia/Check Point – Check Point SW with Nokia HW, high cost, scaled down” version of Check Point FW, only allows static IPs, no VPN Capabilities ($895 (base hardware) plus SW $299 - $2499)

• Linksys – Low cost consumer router, no VPN support, extremely limited “firewall” capabilities, poor performance ($150-$250)


SummarySummary

• Cisco has the most complete portfolio of security products to meet the needs of enterprise teleworkers, branch offices and small to midsized businesses

• Cisco allows customers to choose from dedicated security appliances and router based security solutions

• Cisco’s dual ethernet security platforms fit into the SAFE Blueprint for Small & Midsized Networks and Remote Users


Q & AQ & A


Additional SlidesAdditional Slides


Cisco Dual Ethernet Security Platform Comparison

Cisco Dual Ethernet Security Platform Comparison

Product PIX 501 VPN 3002 806 1710Base MSRP $595 or $1,195 $995 or $1,195 $649 $1,2953DES MSRP $100 Included $350 (SW + 4Mb) IncludedPhysical Size (WxDxH") 6¼ x5½x1” 8x6x2” 9¾x8½x2” 11x3x8.7"Inside Interface 4-FE Switch 1-FE or 8-FE Switch 4-10BaseT Hub FEOutside Interface 10BaseT, Half FE 10BaseT, Half 10BaseT, HalfClear-text (Mbps) 10 10 9 93DES (Mbps) 3 2.2 400 Kbps 4Users 10 or 50 Unlimited Unlimited, 20 sugg. UnlimitedConcurrent VPN Tunnels 5 VPN Peers 1 10 100Stateful Firewall Yes, PIX No Yes, IOS FW Yes, IOS FWContent Filtering Yes, Java/ActiveX No Yes, CBAC Yes, CBACURL Filtering Yes, 3rd Party No No NoIntrusion Protection Yes No No YesAAA Support Yes Yes Yes YesNAT/PAT Yes Yes Yes YesSite-to-Site VPN Yes Network Ext Mode Yes YesVPN User Termination Yes No Yes YesVPN NAT Transparency No Yes No NoIndividual User Auth Yes, Cut-through Proxy Yes Yes, Lock&Key Yes, Lock&KeyLocal Security Policy Editing Optional Now in Beta (FCS Dec) Optional OptionalDHCP Client & Server Yes (32 or 128 leases) Yes (253 Leases) Yes (253 Leases) Yes (253 Leases)IP Phone DHCP Support No (Q1) Yes Yes YesPPPoE Support No (Q1) Yes Yes YesVLAN (802.1Q) No No No YesQoS / Rate Limiting TOS Preservation TOS Preservation Yes + Q4:LLQ, CAR YesWeb-Based GUI Yes (No VPN) Yes Setup Only NoSNMP & Syslog Support Yes Yes Yes YesVPNSC Support Limited Yes Yes YesConfig Express Support No No Yes Yes


Internet Creates a Security Risk

Internet Creates a Security Risk

“

”

The 2000 survey conducted by the Computer Security Institute revealed

90 percent of respondents detected at least one security breach in the last

year.

Computer Security Institute


Worldwide BroadbandMarket Forecast

Worldwide BroadbandMarket Forecast

0M

20M

40M

60M

80M

100M

120M

2000 2001 2002 2003 2004

Su

bs

cri

be

rs

DSL Cable Fixed Wireless• IDC, 2001


275% VPN Market Growth275% VPN Market Growth

YearYear

Expenditures(U.S. $)

$41B

$11B$10B

$20B

$30B

$40B

$50B

2001 2002 2003 2004 2005

$2B

$7B

ServicesServices

Products Products $3B

$5B $6B

$20B

$30B

$36B

Source: IDC May 2001

Documents

1 Dual-E Security © 2001, Cisco Systems, Inc. New Dual Ethernet Security Solutions Sean Convery, Michael K. Jones, Jay Bazzinotti, Holly Linden, John Huie